The recent WannaCry attacks that have proliferated throughout the NHS and other organisations across the globe prove that the disruption that ransomware can cause is not insignificant. Universities and other institutions of higher education should take note; a similar attack could bring a campus to its knees. Places of higher learning can be a playground for potential cyber threats because servers are loaded with private data of students, staff, and faculty. Because a university infrastructure is typically split between academic, student and services networks, with a constant rotation of devices, there are plenty of machines that are ripe for assault. Just like the NHS attack, once malware breaches the perimeter of any of these networks it can, and most likely will, proliferate quickly. Security must be a priority.
Universities are focused on providing excellent service to students. This means that, unlike the landscape 15 years ago, most university networks are at the cutting edge. They are becoming more open and compatible, while private data is being stored via cloud computing services. As a result, the number of unknown variables makes everything a little more complicated. Simplifying the process of protecting critical data requires employing a service that can read and react to the threat at hand without sacrificing network performance. However complicated the issues, the next couple of months should be plenty of time for any university to take appropriate steps to better secure their environment against campaigns similar to the WannCry attack.
1. Follow authoritative guidelines
An unfortunate side effect of the WannaCry attack is the sheer amount of noise online it is making. Separate the wheat from the chaff, and read only what the most authoritative sources are saying. The National Cyber Security Centre (NCSC) has issued guidance as to how best to reduce the likelihood of being held to ransom, and this should be any university IT administrator’s first port of call. Similarly, Microsoft released their own guidelines to stay safe.
2. Review change control processes
The WannaCry manifested itself due to a flaw in a Microsoft product that was remedied in a patch made available in March this year. The problems caused were not due to technology but because proper remediation hadn’t been applied.
Advanced networks require more formal and regular processes to accomplish change, and security systems must be updated accordingly to reflect the effect of any changes. It may sound obvious, but practicing good hygiene will go a long way towards preventing compromise. A recent security-automation survey of over 300 firms found that approximately 80 percent of companies that had a breach could have prevented the issue with a software patch or a configuration change.
Places of higher learning can be a playground for potential cyber threats because servers are loaded with private data of students, staff, and faculty
Establish and maintain a formal patching and updating protocol. Ideally, this would be automated and measured. In addition, a process needs to be implemented to identify and either replace or take offline those systems that can’t be patched. In our experience, the vast majority of compromises could have been prevented if organisations had simply taken the time to update or replace vulnerable systems. In addition, regularly make a good copy of your key assets, scan them for malware, and then physically store them offline in case ransomware or a similar disabling cyberattack does indeed hit you. This is a practical job and while it can be difficult to implement in huge university networks, the security benefits of a simple patching regime will far outweigh any complications in implementation.
3. Segregate the services network
The services network, for Internet access across campus, is the Wild West of university networks. Securing the point of entry is of paramount importance. It’s not sufficient to simply deploy Wi-Fi for students. It needs to be deployed in the context of security. This is NCSC’s idea of ‘secure by default’, whereby security is built-in from the ground up.
The best way to achieve a ‘secure by default’ university services network is by thorough segmentation, which can provide effective controls to mitigate the next step of a network intrusion and to limit further movement across the network or propagation of a threat. By segregating the network, universities can minimise the level of access to sensitive information for those applications, servers, and people who don’t need it, while enabling access for those that do. Meanwhile it makes it much more difficult for a cyber-attacker to locate and gain access to a university’s most sensitive information. The more segmentation and the more internal firewalling, the more control IT has.
Clearly, the above steps are easier said than done. However, they are perfectly possible to implement at relatively little additional cost. Universities should already have a lot of this in place, but by ensuring processes are in line with the technology investments that have already been made, the chances of a WannaCry type attack on a university are drastically diminished.